Report No. 13-35                                                                  September 27, 2013
Appalachian Regional Commission
Evaluation Report

Table of Contents

   Results of Evaluation
   Areas for Improvement
      Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities.
      Area for Improvement 2: The agency should remediate current potential risks.
   Management Comments and Our Analysis
   Objective, Scope and Methodology

Results of Evaluation

The purpose of this evaluation was to answer the question:

       Is the ARC network's perimeter defense effective?

Yes. The ARC network's perimeter defense is effective.

A penetration test is an attempt to breach a network and gain unauthorized access to its
resources. On July 1, 2013, we conducted a penetration test of the ARC network using only
publicly available information.
Our search for public information on the ARC network servers identified one potential
target, and the Office of the CIO provided its network range of 16 IP addresses to limit
the scope of the scan so that it did not affect non-ARC equipment. We used scanning
software to discover live servers and their listening service ports, and then scanned
those servers for known vulnerabilities.

The ARC's computer network, the ARC network, has over 100 systems, consisting of
servers, desktops, laptops, printers, phones, and network infrastructure devices. Every
computer is connected to the network with a unique IP (Internet Protocol) address. For
example, a desktop PC on the ARC network might have an address like 192.168.50.40. A
typical Windows PC could have more than 20 listening ports. Each port serves a
function; for instance, a web browser connects to port 80 to request pages from a web
server, and mail servers use port 25 to transfer messages. It would be normal for a
network of 100 systems to present 2,000 listening ports, each a potential target for attack.

The goal of perimeter defense is to minimize the number of exposed ports, known as the
"attack surface." A network with no open ports is not a network: open ports are required
to communicate. Devices such as firewalls are configured to limit the number of ports
exposed to the Internet, and newer technologies such as Intrusion Detection and
Prevention Systems (IDPS) can provide additional protection by detecting and blocking
the scans an attacker uses to identify open ports.

Several effective characteristics of the ARC network's perimeter defense include the
following:

   •   The ARC network's firewalls effectively limit the exposure of internal systems to
       the Internet. Inside the ARC network, 5,000 or more service ports might be
       actively listening and responding to requests.
       From the Internet, only 8 systems and 17 ports were discovered in our scan of the
       ARC network.
   •   We were unable to exploit the systems found to gain unauthorized access to the
       ARC network.
   •   One system allowed registration for access. When we attempted to create a user
       account, the system denied the request because the details we supplied did not
       match a preregistration requirement. The preregistration process deployed by
       ARC effectively helps prevent unauthorized access.

In summary, the ARC network's perimeter defense effectively prevented our intrusion
attempts.

An effective perimeter defense is a significant component of a complete network security
program. An attacker can exploit a network in a number of ways. In general, she can
attack the network perimeter as we did, or she can bypass the perimeter by tricking a user
into letting her in. This could be as simple as having a user open a malicious email or
visit an infected website, or leaving an infected USB drive near the front door of the
building for an employee to find. While the ARC network's perimeter defense is effective
today, continuous attention and improvement are required to ensure that it remains
effective in the future.

Our penetration testing did reveal two areas for improvement: the agency should
implement ongoing scanning to detect vulnerabilities, and it should remediate the
potential risks identified in this evaluation.
These areas for improvement are detailed below.

Areas for Improvement

Area for Improvement 1:
The agency should implement ongoing scanning to detect vulnerabilities.

Networks and their systems evolve over time, either deliberately or by chance. Systems
that are secure when installed become insecure over time as new vulnerabilities are
discovered in their operating system or application software. Furthermore, any time
changes are made to the existing environment, vulnerabilities can be inadvertently
introduced. The best means of mitigating this risk is vulnerability scanning, both on a
periodic basis and on demand whenever a change is made to the environment.

Even though the ARC is licensed to use software that can perform vulnerability scanning
of its perimeter, it is not currently performing this function. The penetration test we
performed as part of this evaluation found several potential vulnerabilities. Because no
previous tests had been performed, it was not known how long these systems had been
vulnerable. The longer systems remain vulnerable, the more likely it is that they will be
exploited. Regular testing would have identified these vulnerabilities and enabled timely
remediation.

In order to execute the mission of the agency, senior management must remain informed
of risks to the systems that support it.
Regular perimeter scans are a critical source of information describing risks to an
agency's information systems.

Recommendation 1: Perform scheduled, routine scanning of the perimeter on at least a
monthly basis.

Recommendation 2: Perform perimeter scans after new hardware or software is
introduced to the ARC perimeter network.

Area for Improvement 2:
The agency should remediate current potential risks.

The penetration test we performed identified several potential risks in the agency's
web servers. We were unable to exploit them using the tools and methods within our
scope of testing, but a determined attacker could use these weaknesses to attack the
ARC's systems or its users.

The Commission's web time and attendance system allows users to submit their username
and password in clear text, over an unencrypted HTTP connection, rather than requiring
encryption, as shown in the screenshot below:

[Screenshot of the login page not reproduced.]

This makes it possible for anyone positioned on the network path between the user and
the server to intercept these credentials and thereby obtain usernames, passwords, and
unauthorized access to the system. The Commission should encrypt the submission of
passwords on its websites to eliminate this risk to its users and systems.

In our scan of the network perimeter, we identified several ports responding to the
Internet that were not necessary for business communications. These ports were found
on the previously mentioned web time and attendance system and on the Commission's
firewall product:

[Port listing not reproduced.]

Responding ports provide potential entry points to the network for authorized and
unauthorized users alike.
The Commission should limit responding ports to those necessary for business
communications, and block access to all others.

The ARC has a responsibility to control access to its data, and to protect users of its
public websites from malicious activity. Security can be improved by reconfiguring the
existing devices to remediate the issues found in the perimeter scan.

Recommendation 3: Implement SSL/TLS (HTTPS) to encrypt access to the web time and
attendance web server.

Recommendation 4: Block access to ports not necessary for business communications.

Management Comments and Our Analysis

On July 26, 2013, management provided comments on the draft evaluation report.
They concurred with our assessment that the perimeter network defense was effective,
and that the defense could be further improved through ongoing vulnerability scanning
and the remediation of current potential risks. They subsequently provided management
decisions that would address each of the four recommendations.

At the time of the final report, the Commission was arranging for a vendor to conduct
periodic scans of its Internet-facing network. It was also continuing its efforts to
encrypt the Time and Attendance website.

Objective, Scope and Methodology

Objective:
       Is the ARC network's perimeter defense effective?

Scope:
       This evaluation included all externally reachable wired nodes on the ARC
       network. The device list included, but was not limited to, all servers,
       workstations, routers, email gateways and firewalls.
       The access types attempted included login attempts for the purposes of
       information gathering, privilege escalation, and establishment of jumping-off
       points into other areas of the ARC network infrastructure.

Methodology:

   1. From an unfiltered IP address, performed unauthenticated network and device
      discovery using a toolset including, but not limited to, Nessus, Wireshark, and
      other applications in the BackTrack/Kali tool suite.
   2. Reviewed and analyzed protocol encryption types, as applicable.
   3. Performed automated and manual login attacks.
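The methodology steps above, reduced to working code as an added example (this is not the evaluators' toolset and not ARC code): a plain TCP connect() scan stands in for the Nessus and Kali discovery of step 1; the result is compared against a previous scan and a business allow-list, which is what the monthly and post-change scans of Recommendations 1 and 2 and the port blocking of Recommendation 4 need; and a parser over a login page performs the encryption review of step 2 by flagging password forms that would submit in clear text (Recommendation 3). The target (a listener on 127.0.0.1), the baseline, the allow-list, the host name timesheet.example and the login HTML are all constructed for the example, and the GET-method check goes beyond what the report describes.

```python
"""Perimeter checks written as an added example for this page (not the evaluators'
or the ARC's code); every target, baseline and page probed here is constructed."""
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the subset of `ports` on `host` that complete a TCP handshake.
    A full connect() scan needs no raw sockets, so it runs unprivileged;
    connect_ex() returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise."""
    answering = set()
    for port in sorted(ports):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                answering.add(port)
    return answering


def classify_exposure(found, baseline, allowed):
    """Split a scan result: "new" is what a monthly or post-change scan should alert
    on (Rec. 1 and 2); "unnecessary" is what the firewall should block (Rec. 4)."""
    return {"new": found - baseline,
            "gone": baseline - found,
            "unnecessary": found - allowed}


class _LoginFormParser(HTMLParser):
    """Record each <form>'s action, method and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def cleartext_password_forms(page_url, html):
    """Return the submit targets of password forms that would leave unencrypted:
    an action resolving to anything but https (a relative action inherits the page's
    scheme), or method GET, which puts the password in the URL and in server logs
    (the GET check is added here, beyond what the report describes)."""
    parser = _LoginFormParser()
    parser.feed(html)
    page = urlsplit(page_url)
    flagged = []
    for form in parser.forms:
        if not form["password"]:
            continue
        scheme = urlsplit(form["action"]).scheme or page.scheme
        if scheme != "https" or form["method"] == "get":
            flagged.append(form["action"] or page_url)
    return flagged


def demo():
    """Run the checks against a loopback listener and a constructed login page."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # the "exposed service"
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    exposed = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # reserved, then released
    spare.bind(("127.0.0.1", 0))
    closed = spare.getsockname()[1]
    spare.close()

    found = tcp_connect_scan("127.0.0.1", {exposed, closed})
    listener.close()
    # Constructed baseline ("last month" saw only the now-closed port) and allow-list.
    exposure = classify_exposure(found, baseline={closed}, allowed={443})

    page_url = "http://timesheet.example/login"  # constructed, not a real host
    login_html = ('<form action="/login" method="post"><input name="user">'
                  '<input type="password" name="pass"></form>'
                  '<form action="https://sso.example/auth" method="post">'
                  '<input type="password" name="pw"></form>')
    return found, exposure, cleartext_password_forms(page_url, login_html)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the open ports, the baseline comparison and the flagged form: the listener shows up as both "new" and "unnecessary", the released port as "gone", and only the relative-action form on the http:// page is reported, since the second form posts to an https:// endpoint. In practice the "found" set would come from the scheduled scan and the baseline from the previous month's run, with any non-empty "new" or "unnecessary" set raised to management as Recommendation 1 intends.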